From ae2453850ebfe89c99de0b231e1f9c7704d98822 Mon Sep 17 00:00:00 2001
From: Sloane Hertel <shertel@redhat.com>
Date: Thu, 17 May 2018 01:47:07 -0400
Subject: [PATCH] aws_ec2 inventory plugin: backport/2.5/40240 (#40277)

* Add fallback check for IAM role temp creds (#40240)

* Add fallback check for IAM role temp creds

(cherry picked from commit d5a5e37fcf39de757ebe66bb239d9b9a5837b9ab)

* changelog

* Fix changelog

* Fix fix changelog
---
 ...c2_inventory_fallback_to_instance_role_credentials.yaml | 3 +++
 lib/ansible/plugins/inventory/aws_ec2.py                   | 7 +++++++
 2 files changed, 10 insertions(+)
 create mode 100644 changelogs/fragments/aws_ec2_inventory_fallback_to_instance_role_credentials.yaml

diff --git a/changelogs/fragments/aws_ec2_inventory_fallback_to_instance_role_credentials.yaml b/changelogs/fragments/aws_ec2_inventory_fallback_to_instance_role_credentials.yaml
new file mode 100644
index 00000000000..f9635498c3d
--- /dev/null
+++ b/changelogs/fragments/aws_ec2_inventory_fallback_to_instance_role_credentials.yaml
@@ -0,0 +1,3 @@
+---
+bugfixes:
+  - Fallback to instance role STS credentials if none are explicitly provided for the aws_ec2 inventory plugin
diff --git a/lib/ansible/plugins/inventory/aws_ec2.py b/lib/ansible/plugins/inventory/aws_ec2.py
index 6254abdc227..9d3f2cf91d4 100644
--- a/lib/ansible/plugins/inventory/aws_ec2.py
+++ b/lib/ansible/plugins/inventory/aws_ec2.py
@@ -440,6 +440,13 @@ class InventoryModule(BaseInventoryPlugin, Constructable, Cacheable):
         self.aws_secret_access_key = self._options.get('aws_secret_access_key')
         self.aws_security_token = self._options.get('aws_security_token')
 
+        if not self.boto_profile and not (self.aws_access_key_id and self.aws_secret_access_key):
+            session = botocore.session.get_session()
+            if session.get_credentials() is not None:
+                self.aws_access_key_id = session.get_credentials().access_key
+                self.aws_secret_access_key = session.get_credentials().secret_key
+                self.aws_security_token = session.get_credentials().token
+
         if not self.boto_profile and not (self.aws_access_key_id and self.aws_secret_access_key):
             raise AnsibleError("Insufficient boto credentials found. Please provide them in your "
                                "inventory configuration file or set them as environment variables.")